A compromised device belonging to a North Korean IT worker has revealed the inner workings of the team behind the $680,000 Favrr hack, including their use of Google tools to target cryptocurrency projects.
On-chain investigator ZachXBT reports that the investigation began when an unnamed source gained access to one of the worker’s computers, uncovering screenshots, Google Drive exports, and Chrome profiles that shed light on how the operatives planned and executed their attacks.
By analyzing wallet activity and matching digital fingerprints, ZachXBT verified the source material and linked the group’s cryptocurrency transactions to the June 2025 breach of the fan-token marketplace Favrr. One wallet address, “0x78e1a,” was found to have direct connections to the stolen funds from the hack.
Inside the operation
The compromised device revealed that the six-member team operated under at least 31 fake identities. To secure blockchain development roles, they collected government-issued IDs and phone numbers, and even purchased LinkedIn and Upwork accounts to strengthen their cover.
An interview script found on the device showed the group claiming experience at prominent blockchain companies, including Polygon Labs, OpenSea, and Chainlink.
Google tools were central to their operations. The team used Drive spreadsheets to manage budgets and schedules, while Google Translate helped bridge the language gap between Korean and English. One spreadsheet detailed how the workers rented computers and paid for VPN access to create new accounts for their schemes.
The operatives also relied on remote access tools such as AnyDesk to operate client systems without exposing where they were actually sitting. VPN logs showed their sessions routed through multiple regions, which kept their North Korean IP addresses out of sight of the clients they worked for.
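The tradecraft described above leaves two signals a hiring organisation can look for: a contractor account whose sessions arrive from several countries within a short window, and a remote-access tool running on the machine that account uses. The following Python is an added detection example written for this page; it is not code from the article or from ZachXBT's investigation. The session records and process lists are constructed, and every tool name in the list other than AnyDesk is an assumed extension, not something the article reports.

```python
from datetime import datetime, timedelta

# Constructed sample session records (not data from the investigation):
# (account, ISO timestamp, country of the VPN/SSO egress IP).
SESSIONS = [
    ("dev-alice", "2025-06-01T09:00:00", "US"),
    ("dev-alice", "2025-06-01T17:30:00", "US"),
    ("dev-bob",   "2025-06-01T08:15:00", "DE"),
    ("dev-bob",   "2025-06-01T09:40:00", "SG"),
    ("dev-bob",   "2025-06-01T10:05:00", "BR"),
    ("dev-carol", "2025-06-01T11:00:00", "GB"),
    ("dev-carol", "2025-06-03T11:00:00", "FR"),
]

# Constructed process snapshot from each account's managed workstation.
PROCESSES = {
    "dev-alice": ["code", "node", "chrome"],
    "dev-bob":   ["code", "AnyDesk.exe", "chrome"],
    "dev-carol": ["vim", "TeamViewer.exe"],
}

# Remote-access tools worth a second look on a contractor's machine.
# AnyDesk is named in the article; the other entries are assumptions.
REMOTE_ACCESS_TOOLS = {"anydesk", "teamviewer", "rustdesk", "splashtop"}


def region_hoppers(sessions, window=timedelta(hours=24), min_regions=2):
    """Return {account: sorted countries} for every account seen from at
    least `min_regions` distinct countries inside one sliding `window`."""
    by_account = {}
    for account, ts, country in sessions:
        by_account.setdefault(account, []).append(
            (datetime.fromisoformat(ts), country))
    flagged = {}
    for account, events in by_account.items():
        events.sort()  # chronological, so the window only looks forward
        for i, (start, _) in enumerate(events):
            regions = {c for t, c in events[i:] if t - start <= window}
            if len(regions) >= min_regions:
                flagged[account] = sorted(regions)
                break
    return flagged


def remote_access_hits(processes, tools=REMOTE_ACCESS_TOOLS):
    """Return {account: [process names]} where a known remote-access
    tool is running; matching is case-insensitive on the process name."""
    hits = {}
    for account, names in processes.items():
        found = sorted(n for n in names
                       if any(tool in n.lower() for tool in tools))
        if found:
            hits[account] = found
    return hits


def triage(sessions, processes):
    """Join both signals per account so an analyst sees them together."""
    hop = region_hoppers(sessions)
    rat = remote_access_hits(processes)
    return {acct: {"regions": hop.get(acct), "remote_tools": rat.get(acct)}
            for acct in sorted(set(hop) | set(rat))}


if __name__ == "__main__":
    for account, signals in triage(SESSIONS, PROCESSES).items():
        print(account, signals)
```

Neither signal is proof on its own: legitimate travel and a corporate VPN with egress in several regions both produce region hops, and support staff install remote-access tools for good reasons. The value is the combination, which is why `triage` reports both per account rather than raising a separate alert for each.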
Additional findings showed the group researching ways to deploy tokens across different blockchains, scouting AI firms in Europe, and identifying new targets in the cryptocurrency sector.
North Korean Hackers Exploit Remote Work to Carry Out Attacks
ZachXBT identified a recurring pattern highlighted in multiple cybersecurity reports: North Korean IT workers securing legitimate remote jobs to infiltrate the cryptocurrency sector. By presenting themselves as freelance developers, they gain access to code repositories, backend systems, and wallet infrastructure.
Among the materials recovered from the device were interview notes and preparation documents, likely intended to be kept on hand during calls with prospective employers.
